Join Lisa Bock for an in-depth discussion in this video Recognizing secure websites, part of Foundations of IT Security: Core Concepts.
- When going to a webpage the address bar on a browser will show the Uniform Resource Locator or URL of the site being visited. In general, we use Hypertext Transfer Protocol or HTTP. A plain website will be HTTP but a secure connection will be identified as HTTPS or HTTP over Secure Socket Layer. This means any information that is sent between you and the website is encrypted.
And only you and the website can read the contents of the information exchanged as you both have the key that can decrypt the data. If someone intercepts the communication and obtains the message, they will not be able to read the message as they do not have the same shared key used to encrypt the data. I'm in my browser and I went to Google.com. As you can see, it says HTTPS which indicates a secure website. Up in the address bar we see a small lock and this gives us a security report.
Now, when I click on it, it gives us information about the identity of the website and also the website owner or organization. Just because you see a lock, that doesn't mean you should automatically trust a website. The lock guarantees the identity of a website by the certifying authority. Only give personal information to a website you know and trust. The color of the security status bar can indicate whether a certificate is valid or not, and the level of validation that was performed by the certifying authority.
Red, that means the certificate is out of date, is not valid or has an error. Yellow, the authenticity of the certificate or certifying authority that issued it cannot be verified. White, the certificate has normal validation and communication between the browser and the website is encrypted. And green, this shows extended validation, assures encrypted communication and the business passed a rigorous identification process conducted by the certification authority such as VeriSign.
Keep in mind that the certifying authority does not assure the website can be trusted, you need to use your own good judgment. Here we see a white status bar which indicates normal validation. Here were see a green status bar which indicates extended validation. Let's take a look at what will happen if we move our date out for 20 years. I'm going to change the date to 2035 to purposely make one of the certificates go out of date.
Now, let's see what happens. Right now, it looks like the certificate is within the date and it should be accepted. However, I just changed the date and now, I'm going to see what happens when I try to go to that website. Now, there's a problem with the security certificate of this website. It's asking, "What would you like to do? "To continue to this website which is not recommended "because the certificate is outdated." I'm going back to change the date to 2015 so that the certificate won't shown to be expired.
And now, I'm back at the website. Now, let's attempt to go back in to Google.com. As you can see, the expired certificate issue has been resolved.
Note: This course maps to a number of the exam topics on the Microsoft Technology Associate (MTA) Security Fundamentals 98-367 certification exam and is recommended test prep viewing.
- Evaluating risks, threats, and vulnerabilities
- Minimizing the attack surface
- Avoiding worms and viruses
- Protecting your system from spyware
- Making web browsers more secure
- Securing wireless transmissions
- Encrypting files, folders, and drives
- Using virtual private networks